In a significant breach impacting over 23,000 organizations, including several large enterprises, a supply chain attack has injected credential-stealing code into an open-source software package widely used in software development. The compromised package, known as tj-actions/changed-files, is part of a collection utilized by developers on GitHub, designed to facilitate continuous integration and deployment (CI/CD) processes.
The incident occurred when attackers gained unauthorized access to a maintainer account and altered the source code referenced by every version of tj-actions/changed-files. The malicious update retargeted the version tags developers use to reference specific releases so that they pointed at a file that read sensitive data, including credentials, out of the runner's memory and wrote it to workflow logs that were publicly readable.
Cybersecurity experts have pointed out the inherent risks of GitHub Actions: an action can modify a repository's source code and read any secret variables exposed to the workflow that runs it. Many users did not follow the recommended best practice of pinning actions to a commit's cryptographic hash; instead they trusted mutable version tags, which is what allowed the malicious memory scraper to execute.
A maintainer from the tj-actions team revealed that the attack was initiated through the compromise of a credential used by a bot designed for privileged access to the repository. While the exact method of credential compromise remains unclear, measures have since been taken to secure the account, including changing the password and implementing two-factor authentication.
GitHub officials have stated that there is no evidence indicating that their platform itself was compromised. They have taken precautionary steps by suspending user accounts associated with the malicious content and removing the compromised updates. After ensuring that all malicious changes were reverted, the affected content was restored.
The breach was initially detected by the security firm StepSecurity, which identified unusual network traffic patterns linked to the attack. Subsequent investigations by Wiz, another security firm, revealed that numerous repositories experienced real damage, with scripts deployed to extract secrets as part of the attack's execution. These incidents resulted in the exposure of critical information, including AWS access keys, GitHub Personal Access Tokens, and private RSA keys.
This incident highlights the ongoing vulnerabilities present within the supply chain of open-source software. Previous attacks, such as the discovery of a backdoor in the widely used xz Utils compression utility, underscore the need for stringent security measures in open-source development.
Organizations utilizing tj-actions are urged to conduct thorough inspections of their systems for any signs of compromise. This incident serves as a critical reminder for administrators to review all GitHub Actions they employ, ensuring that they use cryptographic hashes to reference previously vetted code versions rather than relying on potentially unsafe tags.
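The review the article recommends can be partly automated: a check that walks a workflow file and flags every `uses:` line that references a remote action by a mutable tag or branch instead of a full 40-character commit SHA. The script below is an added example written for this page, not tooling from GitHub or the tj-actions project; the sample workflow and the SHA in it are constructed for illustration.

```python
import re

# Matches `uses: owner/repo[/path]@ref`, with or without quotes, and stops at a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the article); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: echo "hello"
"""

def classify_ref(uses_value: str) -> str:
    """Return 'local', 'docker', 'pinned' or 'mutable' for one `uses:` value."""
    if uses_value.startswith("./"):
        return "local"      # path inside this repository, no remote ref to retarget
    if uses_value.startswith("docker://"):
        return "docker"     # image reference; digest pinning is a separate check
    if "@" not in uses_value:
        return "mutable"    # no ref at all resolves to the action's default branch
    ref = uses_value.rsplit("@", 1)[1]
    # Only a full commit hash is immutable; tags and branches can be moved.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, uses_value, verdict) for every remote action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        verdict = classify_ref(value)
        if verdict == "mutable":
            findings.append((lineno, value, verdict))
    return findings

if __name__ == "__main__":
    for lineno, value, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value} is {verdict}; pin it to a full commit SHA")
```

Running it against a real `.github/workflows/` directory is a matter of reading each file and passing its text to `audit_workflow`; a pinned SHA should still be one you have reviewed, since the hash only guarantees the code cannot change after the review.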